Data Privacy

Companies worldwide are working diligently to respond to privacy challenges presented by the COVID-19 pandemic—they are addressing critical health and safety risks, coping with operational and logistical challenges presented by erratic and/or reduced customer activity and supporting a remote workforce.

Fenwick's privacy and cybersecurity group in June conducted real-time webinar polling among a diverse group of privacy, security, human resources and other legal and compliance attendees—which included analysts, attorneys and senior executives across the technology, healthcare and financial services sectors—about their companies' health data collection, COVID-19 diagnosis disclosure, work-at-home practices and return-to-work approaches. The results suggest that companies generally have insufficient remote-working security controls and data protection practices and are considering a variety of approaches to return-to-work safeguards.

Here are key takeaways from the session:

70% of companies have updated or created new employee and/or visitor privacy notices describing their collection and processing of COVID-19 health-related information. Notice revisions have covered information related to temperature checks, health conditions and symptoms, travel history and the use of track and trace and other technologies. The type of notice given was evenly distributed, including issuing an updated notice to employees (formal notice or a one-off notice); creating a special privacy notice or signage for the building lobby; sharing a questionnaire for employees and visitors to fill out before returning to the office and updating the company's HR/applicant/employee privacy notice.

Approximately 90% of employees are now handling intellectual property, confidential and personal information in the home. 88% of respondents indicated that they are handling intellectual property and other company proprietary information at home, with more than 60% of such employees handling personal information, including financial (36%), health (16%) and other sensitive personal information (16%).

Given the criticality and sensitivity of information in the home, remote-working security controls are woefully inadequate. Almost half of companies reported not having mandated wireless encryption, 36% reported that they do not require device encryption and more than 10% allow employees to bring their own devices with no restrictions on use by others in the household.

More than 50% of respondents perceive the home working environment to be mildly to severely less secure than the office. The data handling practices and lack of security controls noted above, combined with survey results conducted by third parties that indicate more than 70% of employees have not received training on mandatory standards for work-at-home security, confirm the need for companies to address this risk if work-at-home is to be sustained over the longer term. Key considerations include creating complex passwords and maintaining up-to-date security, enabling router encryption, ensuring adequate device protection, relying on trusted networks and cloud services, wiping lost devices and requiring employees to keep physical files secure.

Approximately 50% of respondents indicated that some of their offices have reopened. While about half of the respondents indicated their companies have reopened at least some of their offices, nearly 40% still have not announced their plans. As a best practice, companies are encouraged to approach the return-to-work situation in the same way they might for disaster recovery, such as defining the company's "new normal" and identifying adjustments made during the pandemic that may need to be discontinued (e.g., access controls and subscriptions/memberships). Employers should also encourage continued remote working, including in light of ever-shifting state and local shelter-in-place orders and especially for at-risk groups.

The top back-to-work health and safety measures respondents indicated they are implementing include:

  1. Staggering employee returns (81%)
  2. Drafting social/physical distancing procedures for work and common areas and adjusting workspaces by moving desks and installing barriers and one-way flows for hallways (81%)
  3. Providing hand sanitizer, masks and personal protective equipment (PPE) (78%)
  4. Creating mandatory at-home and/or workplace temperature check procedures (67%)
  5. Requiring employee/worker and/or visitor health questionnaires (56%)
  6. Requiring disclosure of COVID-19 positive testing to a workplace contact or health official (41%)
  7. Implementing building engineering solutions, including installing HEPA filters, to improve airflow (15%)
  8. Utilizing contact tracing or other tracking technology (11%)

The data indicates companies have pursued the easier, quicker-to-implement solutions with less potential privacy impact, but perceived higher efficacy at minimizing spread of the virus, such as staggering employee returns, adjusting the workspace by moving desks and providing hand sanitizer and other PPE. More difficult solutions and/or those that have greater privacy implications have not been pursued by companies—solutions such as contact tracing or moving/altering an HVAC system.

More than one-third (38%) of privacy and other professionals who responded indicated they are comfortable with contact tracing or other tracking technologies. While this was the lowest level of support for any approach to manage health and safety risks in the office, the technology is still in its early stages. Contact tracing continues to pose logistical, technical and privacy challenges around the world, and countries are at different stages of implementation.

It is, however, widely agreed that efficient contact tracing is one of the best ways to mitigate the risk of spreading COVID-19. In deciding whether to implement a track-and-trace solution, six critical actions that companies should consider include:

  1. Understanding the goal of using tracing technology (to alert individuals of potential exposure, monitor impact within offices, track employees, etc.);
  2. Encouraging (not requiring, unless by law) participation;
  3. Collecting the minimum data needed to effectively trace individuals;
  4. Enforcing tight access controls to the data and maintaining strict security, retention and deletion protocols;
  5. Defining the consequences of exposure and considering internal tools if an infection arises (e.g., badge tracking, surveillance); and
  6. Minimizing discrimination and secondary uses of data (such as keeping employee health information separate from personnel files and insurance decisions, and prohibiting use of employee health information in employment decisions).
|

Conclusion

As employees increasingly look to return to the office, companies should bear in mind key regulatory recommendations and best practices, such as the development of a comprehensive office strategy and staggering employee returns. Generally, the top challenges companies must address are related to regularly monitoring the rapidly changing situation, drafting procedures quickly with clear guidelines and navigating conflicting and evolving guidance (including juggling guidance from public officials, law enforcement, health organizations and global regulatory agencies).

Jim Koenig is Partner & Co-Chair of Fenwick & West's Privacy & Cybersecurity Practice: [email protected]. Jim Gregoire is Managing Director of the Privacy and Cybersecurity Practice: [email protected]. Sheeva Ghassemi-Vanni is Partner, Litigation and Employment Practices: [email protected]. Our team is assisting many clients in addressing legal, operational and compliance challenges related to COVID-19. If you would like to discuss those that you are facing, please contact us. View our webinar presentation for a detailed summary of applicable regulatory guidance and full poll results, and consult our other COVID-19 resources on navigating privacy considerations in the workplace.